Sharing session data on different sites on the same domain

[=?iso-8859-1?Q?Nils=20Hedstr=f6m?=]

I have a web farm that uses a state server for session management.

A user logs on to a website (www1.mysite.com).
When the same user visits www2.mysite.com I want the user to be logged in.
Right now it he is not logged in on www2.mysite.com (both sites use the same
state server).
The reason for this seems to be that the user gets a new SessionId when he
visits a new web server (www2.mysite.com for example).

If there was a way to add a domain='.mysite.com' to the session-cookie the
user would use the SessionId from www1.mysite.com on www2.mysite.com and
share session information (be logged in)..

What is the best way to accomplish this?
Does the solution work with every browsers and firewalls?

/Nils Hedströ

 

[chrisb]

One way to do it:
The first server authenticates the user and passes a token to the
browser e.g. a guid in a hidden form field.
The first server passes this token to the second server (e.g. through a
shared database).
The second server receives the token from the browser and checks to see
if it exists in the database, associates that with the user and
authenticates the user (setting it's own session cookie) and removes
the guid from the database.

Google for "single sign-on" (and msdn/security has lots of info - some
of their web security webcasts describe this method).

Chris.
http://blog.cecatech.co.uk/chrisb

 

[Rajesh CKR]

One way which we have acheived the above (in our case 2 web applications
inside same url) is by making some minor changes to the SQL procedures in
ASP session state database.

This may not be an acceptable solution if you are co hosting other websites
which are using session state in database....

Raj

 

[Robbe Morris [C# MVP]]

If you can spend some money, a really nice performance
alternative that will definitely support this (I do just
what you are talking about across sites and across
a web farm) is scaleout stateserver

http://www.eggheadcafe.com/articles/scaleout_server.asp

 

[=?iso-8859-1?Q?Nils=20Hedstr=f6m?=]

We are only hosting our own application.

The problem is that the client is given a new session id for every host.
That way there is no way the session data (including login information) can
be shared between hosts.
The only solution I see is adding a domain to the session-cooke (.mysite.com).
That way the client will use the same session id on all hosts in my domain.

/nisse

Hello Rajesh,

 

[=?iso-8859-1?Q?Nils=20Hedstr=f6m?=]

We are evaluating scaleout stateserver right now but it does not solve this
problem.

If the session-cookie is specific to a webserver (www1.mysite.com) he will
get a new session-cookie when he visits www2.mysite.com

The session-cookie must be domain-wide (by adding a domain- to the cookie).

/nisse
Hello Robbe Morris [C# MVP],

 

[Robbe Morris [C# MVP]]

Read my article more closely. The sample demonstrates
how to use scaleout's capability for sharing session
across different domains and different servers.

--
Robbe Morris - 2004-2006 Microsoft MVP C#
Earn money answering .NET questions
http://www.eggheadcafe.com/forums/merit.asp

We are evaluating scaleout stateserver right now but it does not solve
this problem.

If the session-cookie is specific to a webserver (www1.mysite.com) he will
get a new session-cookie when he visits www2.mysite.com

The session-cookie must be domain-wide (by adding a domain- to the
cookie).

/nisse
Hello Robbe Morris [C# MVP],

If you can spend some money, a really nice performance
alternative that will definitely support this (I do just
what you are talking about across sites and across
a web farm) is scaleout stateserver
http://www.eggheadcafe.com/articles/scaleout_server.asp

 

[=?iso-8859-1?Q?Nils=20Hedstr=f6m?=]

Your code does not use the session id when fetching the data.
It will never work in a production environment.

I would prefer if the solution is "seamless"=you access the session in the
same way as you normally would.

/nisse

Hello Robbe Morris [C# MVP],

Read my article more closely. The sample demonstrates how to use
scaleout's capability for sharing session across different domains and
different servers.

We are evaluating scaleout stateserver right now but it does not
solve this problem.

If the session-cookie is specific to a webserver (www1.mysite.com) he
will get a new session-cookie when he visits www2.mysite.com

The session-cookie must be domain-wide (by adding a domain- to the
cookie).

/nisse
Hello Robbe Morris [C# MVP],

If you can spend some money, a really nice performance
alternative that will definitely support this (I do just
what you are talking about across sites and across
a web farm) is scaleout stateserver
http://www.eggheadcafe.com/articles/scaleout_server.asp

I have a web farm that uses a state server for session management.
A user logs on to a website (www1.mysite.com).
When the same user visits www2.mysite.com I want the user to be
logged in.
Right now it he is not logged in on www2.mysite.com (both sites use
the
same state server).
The reason for this seems to be that the user gets a new SessionId
when he
visits a new web server (www2.mysite.com for example).
If there was a way to add a domain='.mysite.com' to the
session-cookie the user would use the SessionId from
www1.mysite.com
on www2.mysite.com and share session information (be logged in)..
What is the best way to accomplish this?
Does the solution work with every browsers and firewalls?
/Nils Hedström